Details
| Publication type: | Conference paper |
|---|---|
| Conference: | ITASEC 2021: Italian Conference on Cybersecurity |
| Location: | Virtual |
| Online publication date: | 2021-08-09 |
Abstract
Modern malware increasingly exploits information hiding or steganography to elude security frameworks and remain unnoticed for long periods. To this aim, a prime technique relies upon the ability of creating covert channels to bypass the limits imposed by a sandbox or to exfiltrate data towards a remote server. Unfortunately, detecting a covert channel is not a trivial task and often requires to inspect a composite set of information, e.g., the behavior of a software or statistical indicators of network traffic. Therefore, in this paper we investigate the adoption of code augmentation features offered by the Linux kernel to gather data useful to reveal the presence of covert communications. To prove the effectiveness of the approach, we tested a lightweight program to detect covert channels targeting IPv6 conversations. Results indicate that technologies like the extended Berkeley Packet Filter can offer a foundation to frameworks for spotting and mitigating covert communications.
Authors
- Marco Zuppelli
This email address is being protected from spambots. You need JavaScript enabled to view it.
National Research Council of Italy
Genoa, Italy - Luca Caviglione
This email address is being protected from spambots. You need JavaScript enabled to view it.
National Research Council of Italy
Genoa, Italy - Matteo Repetto
This email address is being protected from spambots. You need JavaScript enabled to view it.
National Research Council of Italy
Genoa, Italy